Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Microsoft Expands List of Blocked File Types in Outlook on the Web

Microsoft this week announced plans to add some new file extensions to the list of file types that are blocked in Outlook on the web.

When the change will be operated, it will immediately result in Outlook on the web users no longer being allowed to download attachments that have those file extensions, the tech giant explains.

Microsoft this week announced plans to add some new file extensions to the list of file types that are blocked in Outlook on the web.

When the change will be operated, it will immediately result in Outlook on the web users no longer being allowed to download attachments that have those file extensions, the tech giant explains.

The newly blocked file types, Microsoft claims, are rarely used, which means that the modification will have no impact on most organizations.

File types affected by the change include ones used by programing languages: “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw” (all used by Python); “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.psd1”, “.psdm1”, “.cdxml” and “.pssc” (all used by PowerShell); and “.jar” and “.jnlp” (both used by Java).

Moreover, the tech giant will block “.appref-ms” (used by Windows ClickOnce), “.udl” (Microsoft Data Access Components (MDAC)), “.wsb” (Windows sandbox), and “.cer”, “.crt” and “.der” (used by digital certificates).

Microsoft also decided to block “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab” and “.grp”. These are used by various applications and, while associated flaws have been patched, some organizations might still use older versions of the software.

Provided that users do complain about their inability to download those file types and that the organization wants to allow for the use of a particular file type, admins will have the option to add specific extensions to the AllowedFileTypes property of users’ OwaMailboxPolicy objects.

“If your organization requires that users be able to download attachment of these types from OWA, you should first ensure that our organization’s operating systems and application software are up-to-date (in the case files that are opened by application software) or ensure that your users are familiar with the risks associated with the file types (in the case of files that are interpreted by scripting software),” Microsoft explains.

Advertisement. Scroll to continue reading.

The company also explains that if a file extension is already present in the AllowedFileTypes list, it won’t be added to a policy’s BlockedFileTypes list.

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft says.

Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

Related: Turla Backdoor Controlled via Email Attachments

Related: Microsoft Patches Over 90 Vulnerabilities With August 2019 Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

MorganFranklin Cyber has appointed Keith Hollender as CEO and member of the Board of Directors.

Lisa Banks has been named Chief Financial Officer at Abnormal Security.

Threat detection and response company Trellix has appointed Vishal Rao as its new CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.